A goal of endpoint profiling is to provide visibility into the type and/or identity of the endpoint device. Determining a name or description of the endpoint device is useful. Another, more important, goal of endpoint profiling is to provide insight into what software may be expected on the device and into its security risk profile. This involves classifying and tagging the device as, for example, a printer, phone, television, laptop, tablet, or personal computer for purposes of applying a security policy based on a need to know and/or a policy. For example, data should flow only one way for a printer.
A Media Access Control (MAC) address, and in particular the Organizationally Unique Identifier (OUI) portion of a MAC address, is a useful starting point for device profiling. The OUI portion provides a good indication of the device type if the manufacturer specializes in making only certain devices. More often, however, the OUI is too general: if a manufacturer makes personal computers, televisions, smartphones, and printers, the OUI data would be too general and ambiguous. Additional information therefore needs to be gathered from data such as a “User-Agent” field or string carried via the Hypertext Transfer Protocol (HTTP), for example. When a software agent operates in accordance with a network protocol, it often identifies itself, its application type, operating system, software vendor, or software revision by submitting a characteristic identification string to its operating peer. In HTTP, the Session Initiation Protocol (SIP) and other protocols, this identification is contained in a header field called User-Agent. In HTTP, the User-Agent string is often used for content negotiation, where the origin server selects suitable content or operating parameters for the response.
As with many other HTTP request headers, the User-Agent string contributes to the information that the client sends to the server, and since the string can vary considerably from user to user it is useful for distinguishing endpoints. However, interpreting the User-Agent string involves judgment, and a new release of an operating system means that devices appear of which the system has no prior knowledge, so no match is found against its database.
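The two-stage approach described above, as an added example that is not part of the original text: the OUI is used when it is decisive on its own, the HTTP User-Agent string refines an ambiguous or unknown OUI, and an endpoint that matches nothing (for instance a newly released operating system the database has never seen) is tagged unknown and given a restrictive policy rather than guessed. The OUI prefixes, vendor names and User-Agent rules are constructed sample data for this example, not real IEEE assignments.

```python
import re
from dataclasses import dataclass
# Constructed sample OUI table (hypothetical prefixes, not real IEEE assignments).
# A maker of only printers is decisive; a broad vendor is too general on its own.
OUI_TABLE = {
    "AA:BB:01": ("PrinterCo", {"printer"}),
    "AA:BB:02": ("BroadVendor", {"personal computer", "phone", "television", "printer"}),
    "AA:BB:03": ("PhoneTVCo", {"phone", "television"}),
}
# User-Agent patterns, most specific first (constructed for this example).
UA_RULES = [
    (re.compile(r"iPhone|Android.*Mobile", re.I), "phone"),
    (re.compile(r"iPad|Android(?!.*Mobile)", re.I), "tablet"),
    (re.compile(r"SmartTV|SMART-TV|Tizen|WebOS", re.I), "television"),
    (re.compile(r"Windows NT|Macintosh|X11; Linux", re.I), "personal computer"),
]
@dataclass
class Profile:
    vendor: str
    device_type: str   # "unknown" when neither evidence source is decisive
    source: str        # evidence that decided the type: oui / user-agent / conflict / none
    policy: str        # "one-way" for printers, "restricted" for unknown, else "default"

def policy_for(device_type: str) -> str:
    if device_type == "printer":
        return "one-way"
    return "restricted" if device_type == "unknown" else "default"

def oui_of(mac: str) -> str:
    """Normalise any common MAC notation and return its 3-octet OUI as 'XX:XX:XX'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in (0, 2, 4))

def profile_endpoint(mac: str, user_agent: str = "") -> Profile:
    vendor, candidates = OUI_TABLE.get(oui_of(mac), ("unknown vendor", set()))
    # Step 1: the OUI alone is decisive only when the vendor makes one device type.
    if len(candidates) == 1:
        dtype = next(iter(candidates))
        return Profile(vendor, dtype, "oui", policy_for(dtype))
    # Step 2: OUI too general or unknown; refine with the HTTP User-Agent string.
    for pattern, dtype in UA_RULES:
        if user_agent and pattern.search(user_agent):
            # Where the OUI gave a candidate list, the User-Agent must agree with it.
            if candidates and dtype not in candidates:
                return Profile(vendor, "unknown", "conflict", policy_for("unknown"))
            return Profile(vendor, dtype, "user-agent", policy_for(dtype))
    # Step 3: nothing matched (e.g. an OS release the database has never seen): tag unknown.
    return Profile(vendor, "unknown", "none", policy_for("unknown"))
```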